Piotr_Lewandows
Jun 27, 2018

Enforcement Readiness Summary and HTTP Protocol Compliance

Hi,

I can understand the logic of the info in this widget for most of the Entity types, but I can't figure out what the logic is for the mentioned type.

After the Enforcement Readiness Period passed, my not-triggered signatures are listed in the Ready To Be Enforced column.

However, nothing is listed for HTTP Protocol Compliance.

I am using Rapid Deployment policy building (Manual learning) with default settings (v13.1.0.7).

The result of those settings (in Learning and Blocking Settings) for the HTTP protocol compliance failed section is:

  • Learn, Alarm, Block - checked (as listed for HTTP protocol compliance failed in Blocking Settings)
  • 5 violations with Enable selected (I manually enabled two more; originally only 3 are enabled)
  • 11 with Learn checked

In the Enforcement Readiness Summary section these values are displayed:

  • Learn New Entities: N/A
  • Total: 19 (matches the number of violations of this type on Learning and Blocking Settings)
  • Not Enforced: 9 - can't figure out how it's calculated. Learn enabled (11) - Enabled (5)? No. Total (19) - Learn enabled (11)? No. Any idea?
  • Not Enforced And Have Suggestions: N/A
  • Ready To Be Enforced: 0

2 violations were triggered by requests - at least when using the filter on the Traffic Learning page (Type: HTTP Protocol Compliance; Score: 0-100 - this filter returns 11 suggestions, so it equals the number of violations with Learn checked), only two have any requests that can be checked; the rest just report "[number] requests triggered this suggestion" instead of "[number] sample requests out of [number] that triggered the suggestion". I assume that only suggestions with such info are based on actual requests received.

The question is why:

  • Not Enforced And Have Suggestions: 0 - for me it should be 2 - actual requests triggered two violations and I have suggestions for that, even if I marked those as Enabled after seeing the suggestions (via Learning and Blocking Settings)
  • Ready To Be Enforced: N/A - why N/A? It should be some number, because the other violations marked with Learn were never triggered by any request. For me it should be at least 9-2 = 7 or rather 11-2 = 9

Example info in the suggestions for not-triggered violations is:

  • Action: Enable HTTP Check
  • Matched HTTP Check: Bad host header value

Why is "Matched HTTP Check" listed when no request matched anything like that?

Any help appreciated,

Piotr

5 Replies

  • nathe

    Hi Piotr, I can't explain the 9 "Not Enforced" configuration I'm afraid, looks odd to me. I'm probably being too simplistic here, but Enforcement Readiness, and whether you Enforce or items are Ready to be Enforced, is just a simple way of removing the Staging check against an item. Staging is there to not block whilst ASM learns the properties of that item, i.e. the query length of an allowed File Type. Because HTTP Protocol Compliance (and Evasion Techniques) don't have properties, there is no Staging check for them. Hence N/A against enforcing these items. For me, this makes sense.

    Obviously the 9 doesn't make sense, can you click on this number?

    Not sure about the Bad Host Header bit, can you confirm this again please?

    N

  • Hi,

    N/A makes a bit of sense here, but then why place this Entity Type in the Enforcement Readiness Summary (ERS) widget? A bit confusing.

    Even if HTTP Protocol Compliance has no staging, it has an Enable checkbox - in the end checking this is very similar to unchecking Staging for Signatures - when Enable is checked, the given violation is in fact enforced - at least this is how I understand the final result - requests not passing the given compliance check are blocked - like requests containing enforced signatures.

    Again, that is creating a bit of confusion for me. Even if we follow the logic that there is no staging for HTTP compliance, then why is there 0 (instead of N/A) in the Ready To Be Enforced column?

    It seems that 9 is the result of: number of violations with Learn - number of violations with Enable manually set (additional to the 3 enabled by default; those 3 seem not to be counted here - those also do not have a Learn checkbox, only Enable).

    Clicking on the numbers in both the Total and Not Enforced columns just directs to the Learning and Blocking Settings (LABS) page with the HTTP protocol compliance failed section expanded, nothing more.

    Regarding Bad Host Header, this is just an example of what is shown when the filter icon in front of the HTTP Protocol Compliance row in the ERS widget is clicked.

    For all violations marked with Learn on the LABS page we have suggestions. See screen:

    You can see that suggestions are listed for all violations (with Learn checked) - even if no request triggered the violation. Maybe this is because all of them are marked as Policy Tightening Suggestions - those do not need any request to be listed?

    Still, there should be some info in the Ready To Be Enforced column indicating the number of violations that were never triggered during the ERP - don't you think?

    And why is there the info "265 requests triggered this suggestion"? 265 requests is the total number of requests processed by the policy from the moment it was activated, but no request was actually reported as triggering the violation (this is exactly the same for all other suggestions).

    It only changes when the given violation is Enabled. When only Learn is checked, nothing is displayed in the Event Log or in the suggestion for the given violation.

    I did test sending a request with two Host headers (should trigger Multiple host headers) - no info about the violation in the Event Log, no info about the actual request triggering the suggestion in Traffic Learning - not really useful for figuring out if requests are not compliant...

    Don't really get the logic here :-( The same situation seems to apply to Evasion Technique detected.

    Piotr

  • OK, I did some more tests. The logic for HTTP protocol compliance learning is quite odd and different than for other entities.

    The only way I found to actually see if any request is not compliant is this:

    • Policy in Transparent
    • Enable checked for all compliance tests that we would like to evaluate (when all compliance tests with Learn also have Enable checked, 0 is listed in the Not Enforced column)

    The other way is to keep the policy in Blocking and disable Block for HTTP protocol compliance failed.

    I don't get why this violation type is handled in such a different way than others.

    Piotr

    • Marvin

      Hi Piotr, yes indeed I fully agree that the HTTP protocol compliance learning is quite strange. For example, F5 recommends enabling a HTTP compliance feature which only has the Learn checkbox selected; the HTTP compliance itself is in learn, alarm, block mode, as is the ASM policy itself.

      ASM recommends in traffic learning to enable a feature in HTTP compliance (in particular POST request with Content-Length: 0). Enabling this feature will cause a lot of blocks of legitimate traffic. So I can conclude that the traffic suggestion is completely wrong and F5 ASM HTTP compliance should also report the violation while the HTTP compliance feature is only in learn mode. I guess I have to check this with F5 support.

  • BZM

    I've often wondered about this for HTTP protocol compliance and evasion techniques. I came across these release notes:

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-0-6.html

    Notably:

    761553-2 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic

    Symptoms:

    Text for analyzed requests might be misleading for suggestions that are created as a result of an absence of violations in traffic:

    X requests triggered this suggestion from date:time until date:time.

    Actually:

    -- 'X requests' did not trigger a violation, and no sampled requests are provided.

    -- The format of the time in 'from date:time until date:time' is difficult to parse.

    Conditions:

    There are suggestions that were created as a result of an absence of violations in traffic in the policy.

    Impact:

    Text might be misleading.

    Fix:

    Improved text for analyzed requests for suggestions that were created as a result of absence of violations in traffic.

    I hope this helps for anyone else that stumbles across this thread.

    Ethan
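As an added example (not from the thread and not F5's own code): a small Python classifier that separates Traffic Learning suggestions backed by sampled violating requests from absence-based ones, using the two wordings Piotr quotes in the opening post and the text described in ID 761553-2 above. The regexes, the hypothetical check names and the constructed sample list are assumptions built from that wording, not output captured from ASM.

```python
import re
from dataclasses import dataclass

# Two wordings from the Traffic Learning page as described in this thread. The regexes are
# assumptions built from that wording; the exact text varies by ASM version (see ID 761553-2).
# Backed by real violating traffic:
#   "2 sample requests out of 5 that triggered the suggestion"
# Created from the absence of violations (policy tightening), where X is merely the analyzed total:
#   "265 requests triggered this suggestion from 06/20/2018 08:00 until 06/27/2018 08:00"
SAMPLED_RE = re.compile(
    r"(?P<sampled>\d+) sample requests? out of (?P<total>\d+) that triggered the suggestion")
ABSENCE_RE = re.compile(
    r"(?P<analyzed>\d+) requests? triggered this suggestion(?: from (?P<start>.+?) until (?P<end>.+?))?$")

@dataclass
class SuggestionEvidence:
    entity: str               # the matched HTTP check name
    backed_by_traffic: bool   # True only when the suggestion has sampled violating requests
    triggering_requests: int  # requests that actually violated the check
    analyzed_requests: int    # requests examined with no violation (absence-based suggestion)

def classify_suggestion(entity: str, text: str) -> SuggestionEvidence:
    """Tell an absence-based suggestion from one backed by real violations."""
    text = " ".join(text.split())
    m = SAMPLED_RE.search(text)
    if m:
        return SuggestionEvidence(entity, True, int(m["total"]), 0)
    m = ABSENCE_RE.search(text)
    if m:
        # The "X requests" figure is the number analyzed; none of them violated the check.
        return SuggestionEvidence(entity, False, 0, int(m["analyzed"]))
    raise ValueError(f"unrecognised suggestion text: {text!r}")

# Constructed sample mirroring the thread: 11 suggestions with Learn checked, only 2 with real hits.
SAMPLE_SUGGESTIONS = [
    ("Bad host header value", "265 requests triggered this suggestion from 06/20/2018 08:00 until 06/27/2018 08:00"),
    ("Multiple host headers", "265 requests triggered this suggestion"),
    ("POST request with Content-Length: 0", "2 sample requests out of 5 that triggered the suggestion"),
    ("Hypothetical check X", "1 sample request out of 1 that triggered the suggestion"),
] + [(f"Hypothetical check {i}", "265 requests triggered this suggestion") for i in range(7)]

def split_by_evidence(suggestions):
    """Return (checks triggered by real requests, checks never triggered in the period)."""
    evidence = [classify_suggestion(e, t) for e, t in suggestions]
    triggered = [s.entity for s in evidence if s.backed_by_traffic]
    never_triggered = [s.entity for s in evidence if not s.backed_by_traffic]
    return triggered, never_triggered
```

The second list is the set of checks that produced no violation during the period, which is what the thread expected the Ready To Be Enforced column to reflect.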